[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: modload: loading
'/sm/aolserver4.0.7/bin/nsopenssl.so'
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): loading SSL context 'users'
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' ciphers loaded successfully
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' using SSLv2 protocol
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' using SSLv3 protocol
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' using TLSv1 protocol
[12/Aug/2004:17:17:17][17642.1024][-main-] Debug: KeyFile =
/sm/aolserver/servers/server1/modules/nsopenssl/key.pem; CertFile
= /sm/aolserver/servers/server1/modules/nsopenssl/certificate.pem
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' certificate and key loaded successfully
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' failed to load CA certificate file
'/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
[12/Aug/2004:17:17:17][17642.1024][-main-] Error: nsopenssl (server1):
'users' CA certificate file is not readable or does not exist
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: users (nsopenssl):
session cache is turned on for sslcontext 'server1'
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): default SSL context for server is users
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: default server SSL
context: users
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): loading 'users_drv' SSL driver

What is ca-client.crt?  The certificate and key .pem files are there.
I continue to get errors like this:

[12/Aug/2004:17:20:32][17642.9226][-conn:server1::4] Debug:
SSLOp(21-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[12/Aug/2004:17:20:32][17642.9226][-conn:server1::4] Error: nsopenssl
(server1): SSL error on reading data

I suspect that some browser is causing the crashing problems.  The
above error was the last one in the log before the server
died.

Nate

On Thu, 12 Aug 2004 17:20:25 -0400, Dossy Shiobara <[EMAIL PROTECTED]> wrote:
> OK, so after all the buzz, I started doing some testing of nsopenssl 3
> beta and here's what I've learned so far:
>
> I'm using "OpenSSL 0.9.7d 17 Mar 2004" and the latest checkout of
> nsopenssl 3 beta from CVS HEAD.
>
> 1. If the certificate and key .pem files aren't in the modules/nsopenssl
>    dir, the server will still start up (and logs an error) and will
>    accept SSL connections, but causes the server to spin with the
>    following error:
>
>   [12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1
>   [12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Error: nsopenssl (server1): SSL error on reading data
>
> Is it ever possible to service an SSL request if you don't have the
> server certificate loaded? If we can't load the cert, perhaps we
> shouldn't open the socket for listening and accept connections on it.
>
> 2. The example nsd.tcl that's provided in the nsopenssl specifies
>    "SSLv3, TLSv1" for the server protocols. An SSLv2 client connection
>    causes a similar SSL error as above. Adding "SSLv2" to the list seems
>    to make SSLv2 requests work just fine.
>
> Janine and others: do you have "SSLv2" in the list of protocols
> configured in your server context for the nsopenssl module?  If not,
> when you DO get an SSLv2 connection, your server will spin throwing lots
> of noise in the server log.
>
> If you do have SSLv2 in the protocols list and are still seeing the
> problem, then I don't know what's wrong.  Once I set up the certificate
> and key .pem files so that nsopenssl could load them, and added "SSLv2"
> to the list, and configured the "maxinput" parameter correctly, I haven't
> been able to reproduce the error.
>
> For details on how to configure maxinput, see:
>
>     TIP: configuring "maxinput" for nsopenssl
>     http://www.mail-archive.com/[EMAIL PROTECTED]/msg07365.html
>
> I'm now looking around for SSL protocol testing software -- not plain
> load generation software, there's plenty of that around.  I want a
> package that specifically sends a mix of good SSL connections as well as
> bad ones: "defects" in the SSL handshake process, bad payload data,
> hard connection drops in mid-send or mid-receive.  If anyone knows of
> such a tool, please let me know their names and vendors.  Thanks.
>
> -- Dossy
>
> --
> Dossy Shiobara                       mail: [EMAIL PROTECTED]
> Panoptic Computer Network             web: http://www.panoptic.com/
>   "He realized the fastest way to change is to laugh at your own
>     folly -- then you can let go and quickly move on." (p. 70)
>
> --
> AOLserver - http://www.aolserver.com/
>
> To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the
> Subject: field of your email blank.
>
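
Added example (not part of either message above and not nsopenssl code): a Python log triage that rejoins the mail-wrapped log records quoted in this thread and extracts what the discussion turns on, namely which protocols each SSL context enabled, which CA certificate file failed to load, and which threads logged "SSL error on reading data". The regular expressions are assumptions derived only from the log lines quoted in the thread, and SAMPLE is constructed from those lines.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's excerpts, mail wrapping included.
SAMPLE = """\
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' using SSLv2 protocol
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' using TLSv1 protocol
[12/Aug/2004:17:17:17][17642.1024][-main-] Notice: nsopenssl
(server1): 'users' failed to load CA certificate file
'/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
[12/Aug/2004:17:20:32][17642.9226][-conn:server1::4] Debug:
SSLOp(21-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[12/Aug/2004:17:20:32][17642.9226][-conn:server1::4] Error: nsopenssl
(server1): SSL error on reading data
"""

HEAD = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]\[([^\]]+)\]\s+(\w+):\s*(.*)$")
PROTO = re.compile(r"'([^']+)' using (\S+) protocol")
CA_FAIL = re.compile(r"'([^']+)' failed to load CA certificate file\s+'([^']+)'")
SSLOP = re.compile(r"SSLOp\(\S+\): (\w+): bytes = (\d+); total = (\d+); rc = (-?\d+)")


def unwrap(text):
    """Rejoin wrapped lines: a record starts at '[time][pid.tid][thread] Severity:'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEAD.match(line)
        if m:
            records.append(dict(zip(("time", "pid", "thread", "sev", "msg"), m.groups())))
        elif line and records:  # continuation of the previous record
            records[-1]["msg"] += " " + line
    return records

def triage(text):
    """Summarise enabled protocols, CA files that failed to load, and read errors."""
    out = {"protocols": {}, "ca_missing": {}, "read_errors": Counter(), "sslop": []}
    for r in unwrap(text):
        if m := PROTO.search(r["msg"]):  # one 'using <proto> protocol' line per protocol
            out["protocols"].setdefault(m.group(1), []).append(m.group(2))
        if m := CA_FAIL.search(r["msg"]):  # context name -> path that could not be read
            out["ca_missing"][m.group(1)] = m.group(2)
        if m := SSLOP.search(r["msg"]):  # (thread, error class, bytes requested, rc)
            out["sslop"].append((r["thread"], m.group(1), int(m.group(2)), int(m.group(4))))
        if r["sev"] == "Error" and "SSL error on reading data" in r["msg"]:
            out["read_errors"][r["thread"]] += 1
    return out
```

Calling triage() on the text of a server log returns a dictionary; a thread whose read_errors count keeps climbing matches the spinning behaviour described in the thread.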

